1 What is claimed is: 

2 

3 1. A page fault proxy handler for connection to an original page fault handler and a 

4 paging table in which supervisor flags for all entries for all writable memory pages have 

5 been pre-set, the page fault proxy handler comprising: 

6 a page fault detector; 

7 a mitigation module; 

8 a page fault filter, connected to the page fault detector, wherein the filter passes to 

9 the original page fault handler page faults not arising from an attempt to access a writable 

10 page by a user mode program; 

1 1 a controlled memory access module, wherein the controlled memory access 
/q 12 module permits a user program to access a writable page of memory by changing an 
v ^ 13 associated supervisor flag in the paging table; and 

: ,p 14 an execution address checker, connected to the page fault filter, the mitigation 

!:™ 15 module and the controlled memory access module, wherein the execution address checker 

rij 16 passes to the mitigation module only page faults arising from an attempt by a user mode 

g; 17 program to execute from a predetermined section of executable memory, and wherein the 

^ 18 execution address checker passes to the controlled memory access module page faults 

;;fl 19 arising from any other attempt by a user mode program to access a writable page. 

y 20 

21 2. The page fault proxy handler of claim 1 wherein the paging cache is a data translation 

22 lookaside buffer. 

23 

24 3. The page fault proxy handler of claim 1 wherein the predetermined section of 

25 executable memory is a stack. 
26 

27 4. The page fault proxy handler of claim 1 wherein the predetermined section of 

28 executable memory is all executable memory. 
29 
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1 5. The page fault proxy handler of claim 1 wherein the mitigation module comprises a 

2 code termination module. 

3 

4 6. The page fault proxy handler of claim 1 wherein the mitigation module comprises a 

5 logging module. 
6 



7 7. The page fault proxy handler of claim 1 wherein the apparatus is for use with an IA-32 

8 microprocessor. 
9 

10 8. A method for handling page faults, for use with an original page fault handler, the 

1 1 method comprising: 

12 setting a supervisor flag in a page entry table associated with a writable page; 

1 3 detecting a page fault; 

14 determining whether the page fault arises from an attempt by a user mode program 

15 to access the writable page having the associated supervisor flag set; and 

16 conditionally calling the original page fault handler on the basis of the determining 

17 step. 
18 

19 9. The method of claim 8 further comprising: 

20 providing a page fault proxy handler that performs the detecting determining and 

21 conditionally calling steps. 

22 

23 10. The method of claim 9 further comprising: 

24 launching the page fault proxy handler with one or more runtime options. 
25 

26 11. The method of claim 10 wherein the runtime options affect the performance overhead 

27 and/or security efficacy of the page fault proxy handler. 
28 

29 
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1 12. The method of claim 8, further comprising: 

2 determining whether the page fault was caused by an attempt to execute from the 

3 page. 
4 

5 13. The method of claim 12 wherein the page fault is associated with a fault address, and 



6 wherein the step of determining whether the page fault was caused by an attempt to 

7 execute from the page comprises comparing the fault address to the contents of an 

8 instruction pointer. 
9 

10 14. The method of claim 12 further comprising: 

1 1 if the page fault was not caused by an attempt to execute from the page, then 

12 performing at least the following steps: 

13 clearing the supervisor flag in a paging cache associated with the page; 

14 accessing the page after the clearing step; and 

15 setting the supervisor flag after the accessing step. 
16 

17 15. The method of claim 14 wherein the paging cache is a data translation lookaside 

18 buffer. 



20 16. The method of claim 12 further comprising: 

21 terminating the user mode program, if the page fault was caused by an attempt to 

22 execute from the page. 

23 

24 17. The method of claim 16 wherein the terminating step comprises: 

25 injecting termination code in the user mode program; and 

26 changing a return address. 
27 

28 18. The method of claim 16 wherein the terminating step comprises: 

29 prompting an operator whether to terminate the user mode program; and 

30 accepting a response from the operator. 

17 
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2 19. The method of claim 16 wherein the terminating step comprises: 

3 logging an event, if a fault address equals a current execution address. 
4 

5 20. The method of claim 8 further comprising: 

6 determining whether the page fault arises in a predetermined section of memory. 



7 

8 21. The method of claim 20 wherein the predetermined section of memory is all memory. 

9 



10 22. The method of claim 20 wherein the predetermined section of memory is a stack. 
11 

12 23. The method of claim 8 further comprising: 

13 checking whether the page fault is for an existing page of memory. 
14 

15 24. The method of claim 8 further comprising: 

16 checking whether the page fault is for a kernel page of memory. 
17 

18 25. The method of claim 8 wherein the method is performed with an IA-32 

19 microprocessor. 
20 

21 26. An apparatus for use with an original page fault handler, the apparatus comprising: 

22 a means for setting a supervisor flag in a page table associated with a writable 

23 page; 

24 a means for detecting a page fault; 

25 a means for determining whether the page fault arises from an attempt by a user 

26 mode program to access the writable page having the associated supervisor flag set; and 

27 a means for conditionally calling the original page fault handler on the basis of the 

28 determining step. 

29 
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27. A computer readable medium on which is embedded computer software, the software 
performing a method for handling page faults, for use with an original page fault handler, 
the method comprising: 

setting a supervisor flag in a page entry table associated with a writable page; 

detecting a page fault; 

determining whether the page fault arises from an attempt by a user mode program 
to access the writable page having the associated supervisor flag set; and 

conditionally calling the original page fault handler on the basis of the determining 

step. 
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